Abstract. The square root modulo problem is a known primitive in designing an asymmetric cryptosystem. It was first attempted by Rabin. Decryption failure of the Rabin cryptosystem, caused by the 4-to-1 decryption output, is overcome efficiently in this work. The proposed scheme (known as the AAβ cryptosystem) has an encryption speed whose complexity order is faster than that of the Diffie-Hellman key exchange, El-Gamal, RSA and ECC. It can also transmit a larger data set securely when compared to existing asymmetric schemes. It has a simple mathematical structure. Thus, it would have low computational requirements and would enable communication devices with low computing power to deploy secure communication procedures efficiently.



1. Introduction 

The Rabin cryptosystem, which utilizes the square root modulo problem, is said to be an optimal implementation of RSA with the encryption exponent e = 2 [9]. However, the situation of a 4-to-1 mapping during decryption has deterred it from being utilized. Mechanisms to ensure its possible implementation have been proposed; however, the solutions either still have a possibility of decryption failure or their performance against RSA is inadequate. As a consequence, other underlying cryptographic primitives have taken centre stage. The discrete log problem (DLP) and the elliptic curve discrete log problem (ECDLP) have been the source of security for cryptographic schemes such as the Diffie-Hellman key exchange (DHKE) procedure, the El-Gamal cryptosystem and the elliptic curve cryptosystem (ECC) respectively [1], [7]. As for the world renowned RSA cryptosystem, the inability to find the e-th root of the ciphertext C modulo N from the congruence relation $C \equiv M^e \pmod N$, coupled with the inability to factor N = pq for large primes p and q, is its fundamental source of security [10]. It has been suggested that ECC is able to produce the same level of security as RSA with a shorter key length. Thus, ECC should be the preferred asymmetric cryptosystem when compared to RSA [15]. Hence, the notion of "cryptographic efficiency" is conjured. That is, to produce an asymmetric cryptographic scheme that could produce security equivalent to a certain key length of the traditional RSA but utilizing shorter keys. However, in certain situations where a large block needs to be encrypted, RSA is the better option than ECC because ECC would need more computational effort to undergo such a task [12]. Thus, another characteristic is added toward the notion of "cryptographic efficiency", which is that it must be less "computationally intensive" and be able to transmit large blocks of data (when needed). In 1998 the cryptographic scheme known as NTRU was proposed with better "cryptographic efficiency" relative to RSA and ECC [3], [5], [6]. NTRU has a complexity order of $O(n^2)$ for both encryption and decryption as compared to DHKE, El-Gamal, RSA and ECC (all have a complexity order of $O(n^3)$). As such, in order to design a state-of-the-art public key mechanism, the following are characteristics that must "ideally" be achieved (apart from other well known security issues):

(1) Shorter key length. If possible, shorter than the 160 bits of ECC.

(2) Speed. To have a speed of complexity order $O(n^2)$ for both encryption and decryption.

(3) Able to increase the data set to be transmitted asymmetrically. That is, not to be restricted in size because of the mathematical structure.

(4) Simple mathematical structure for easy implementation.

In this paper, we attempt to efficiently enhance an asymmetric cryptosystem based on the square root problem as its cryptographic primitive. That is, we will efficiently redesign Rabin's cryptosystem, which has decryption failure due to a 4-to-1 mapping. We will show that our design for encryption does not involve "expensive" mathematical operations. Only basic multiplication is required, without division or modulo operations.

The layout of this paper is as follows. The Rabin cryptosystem will be discussed in Section 2. Previous designs to overcome the decryption failure of the Rabin cryptosystem will also be presented there. The mechanism of the AAβ cryptosystem will be detailed in Section 3. In Section 4, the authors detail the decryption process and provide a proof of correctness. An example will also be presented. Continuing in Section 5, we will discuss a congruence attack, a Coppersmith type attack and a Euclidean division attack. An analysis of the lattice based attack will be given in Section 6. Section 7 will be about the underlying security principles of the AAβ scheme. A table of comparison between the AAβ scheme and RSA, ECC and NTRU is given in Section 8. Finally, we shall conclude in Section 9.

2. The Rabin Cryptosystem 

Let us begin by stating that the communication process is between A (Along) 
and B (Busu), where Busu is sending information to Along after encrypting the 
plaintext with Along's public key. 

• Key Generation by Along 

INPUT: Generate two random n-bit prime numbers p and q. 
OUTPUT: The public key N = pq and the private key pair (p, q). 

Remark 2.1. To simplify computation one may choose $p \equiv q \equiv 3 \pmod 4$.

• Encryption by Busu 

INPUT: The public key N and the message M where $0 \le M \le N - 1$.
OUTPUT: The ciphertext $C = M^2 \pmod N$.
• Decryption by Along

INPUT: The private key pair (p, q) and the ciphertext C. 
OUTPUT: The plaintext M. 

Remark 2.2. Computing the square roots of C modulo N using the private keys (p, q) results in 4 square roots of C modulo N. Thus arises the "infamous" decryption failure scenario.

2.1. Redundancy Schemes for Unique Decryption. In order to overcome the 
decryption failure, it is necessary to have a scheme that could provide the plaintext 
upon decryption without having to guess. We provide here a brief description of 3 
existing solution techniques. 

(1) Redundancy in the message [8]. This scheme has a probability of decryption failure of approximately where $l$ is the least significant binary string of the message.

(2) Extra bits [2]. One sends 2 extra bits of information to specify the square root. The encryption process requires the computation of the Jacobi symbol. This results in a computational overhead which is much more than just computing a single square modulo N.

(3) Williams' technique [14]. The encryption process requires the encrypter to compute a Jacobi symbol, hence losing the performance advantage of Rabin over RSA (as in point no. 2).

In the next section, we will present an efficient enhancement of Rabin's cryptosystem that does not inherit the above properties.



3. The AAβ Public Key Cryptosystem

• Key Generation by Along

INPUT: The size n of the prime numbers.
OUTPUT: A public key tuple $(n, e_{A1}, e_{A2})$ and a private key pair $(pq, d)$.

(1) Generate two random and distinct n-bit strong primes p and q satisfying
$$p \equiv 3 \pmod 4, \quad 2^n < p < 2^{n+1},$$
$$q \equiv 3 \pmod 4, \quad 2^n < q < 2^{n+1}.$$

(2) Choose a random d such that $d > (p^2 q)^{4/9}$.

(3) Choose a random integer e such that $ed \equiv 1 \pmod{pq}$ and add multiples of pq until $2^{3n+4} < e < 2^{3n+6}$ (if necessary).

(4) Set $e_{A1} = p^2 q$. We have $2^{3n} < e_{A1} < 2^{3n+3}$.

(5) Set $e_{A2} = e$.

(6) Return the public key tuple $(n, e_{A1}, e_{A2})$ and the private key pair $(pq, d)$. We also have the fact that $2^{2n} < pq < 2^{2n+2}$.
• Encryption by Busu

INPUT: The public key tuple $(n, e_{A1}, e_{A2})$ and the message M.
OUTPUT: The ciphertext C.

(1) Represent the message M as a 4n-bit integer m within the interval $(2^{4n-1}, 2^{4n})$ with $m = m_1 \cdot 2^n + m_2$, where $m_1$ is a (3n+1)-bit integer within the interval $(2^{3n}, 2^{3n+1})$ and $m_2$ is an (n−1)-bit integer within the interval $(2^{n-2}, 2^{n-1})$.

(2) Choose a random n-bit integer $k_1$ within the interval $(2^{n-1}, 2^n)$ and compute $U = m_1 \cdot 2^n + k_1$. We have $2^{4n} < U < 2^{4n+1}$.

(3) Choose a random n-bit integer $k_2$ within the interval $(2^{n-1}, 2^n)$ and compute $V = m_2 \cdot 2^n + k_2$. We have $2^{2n-2} < V < 2^{2n-1}$.

(4) Compute $C = U e_{A1} + V^2 e_{A2}$.

(5) Send the ciphertext C to Along.

4. Decryption

Proposition 4.1. Decryption by Along is conducted in the following steps:

INPUT: The private key $(pq, d)$ and the ciphertext C.
OUTPUT: The plaintext M.

(1) Compute $W = Cd \pmod{pq}$.

(2) Compute $M_1 = q^{-1} \pmod p$ and $M_2 = p^{-1} \pmod q$.

(3) Compute
$$x_p = W^{\frac{p+1}{4}} \pmod p, \qquad x_q = W^{\frac{q+1}{4}} \pmod q.$$

(4) Compute
$$V_1 = x_p M_1 q + x_q M_2 p \pmod{pq},$$
$$V_2 = x_p M_1 q - x_q M_2 p \pmod{pq},$$
$$V_3 = -x_p M_1 q + x_q M_2 p \pmod{pq},$$
$$V_4 = -x_p M_1 q - x_q M_2 p \pmod{pq}.$$

(5) For i = 1, 2, 3, 4 compute $U_i = \dfrac{C - V_i^2 e_{A2}}{e_{A1}}$.

(6) Sort the pairs $(U_i, V_i)$ for the integer $U_i$; call the selected pair (U, V).

(7) Compute the integral part $m_1 = \lfloor U / 2^n \rfloor$.

(8) Compute the integral part $m_2 = \lfloor V / 2^n \rfloor$.

(9) Form the integer $m = m_1 \cdot 2^n + m_2$.

(10) Transform the number m to the message M.

(11) Return the message M.

We now proceed to give a proof of correctness. 

Along will begin by computing $W = Cd \equiv V^2 \pmod{pq}$. Along will then have to solve $W \equiv V^2 \pmod{pq}$ using the Chinese Remainder Theorem.
Lemma 4.2. Let p and q be two different primes such that $p \equiv 3 \pmod 4$ and $q \equiv 3 \pmod 4$. Define $x_p$ and $x_q$ by
$$x_p = W^{\frac{p+1}{4}} \pmod p, \qquad x_q = W^{\frac{q+1}{4}} \pmod q.$$
Then the solutions of the equation $x^2 \equiv W \pmod p$ are $\pm x_p \pmod p$ and the solutions of the equation $x^2 \equiv W \pmod q$ are $\pm x_q \pmod q$.

Lemma 4.3. Let p and q be two different primes such that $p \equiv 3 \pmod 4$ and $q \equiv 3 \pmod 4$. Define $x_p$ and $x_q$ by
$$x_p = W^{\frac{p+1}{4}} \pmod p, \qquad x_q = W^{\frac{q+1}{4}} \pmod q.$$
Define $M_1 = q^{-1} \pmod p$ and $M_2 = p^{-1} \pmod q$. Then the solutions of the equation $V^2 \equiv W \pmod{pq}$ are
$$V_1 = x_p M_1 q + x_q M_2 p \pmod{pq},$$
$$V_2 = x_p M_1 q - x_q M_2 p \pmod{pq},$$
$$V_3 = -x_p M_1 q + x_q M_2 p \pmod{pq},$$
$$V_4 = -x_p M_1 q - x_q M_2 p \pmod{pq}.$$

To solve the equation $V^2 \equiv W \pmod{pq}$, we use the Chinese Remainder Theorem. Consider the equations $x^2 \equiv W \pmod p$ and $x^2 \equiv W \pmod q$. Then the solutions of the equation $V^2 \equiv W \pmod{pq}$ are the four solutions of the four systems
$$V \equiv \pm x_p \pmod p,$$
$$V \equiv \pm x_q \pmod q.$$
Define $M_1 = q^{-1} \pmod p$ and $M_2 = p^{-1} \pmod q$. We get explicitly
$$V_1 = x_p M_1 q + x_q M_2 p \pmod{pq},$$
$$V_2 = x_p M_1 q - x_q M_2 p \pmod{pq},$$
$$V_3 = -x_p M_1 q + x_q M_2 p \pmod{pq},$$
$$V_4 = -x_p M_1 q - x_q M_2 p \pmod{pq}.$$
It can be seen that solving $V^2 \equiv W \pmod{pq}$ gives four solutions $V_i$ for i = 1, 2, 3, 4.

We prove below that only one of them leads to the correct decryption and consequently there is no decryption failure.

Lemma 4.4. Let C be an integer representing a ciphertext encrypted by the AAβ algorithm. The equation $C = U e_{A1} + V^2 e_{A2}$ has only one solution satisfying $V < 2^{2n-1}$.

Proof. Suppose for contradiction that there are two couples of solutions $(U_1, V_1)$ and $(U_2, V_2)$ of the equation $C = U e_{A1} + V^2 e_{A2}$ with $V_1 \neq V_2$ and $V_i < 2^{2n-1}$. Then $U_1 e_{A1} + V_1^2 e_{A2} = U_2 e_{A1} + V_2^2 e_{A2}$. Using $e_{A1} = p^2 q$, this leads to
$$(U_2 - U_1) p^2 q = (V_1 + V_2)(V_1 - V_2) e_{A2}.$$
Since $\gcd(p^2 q, e_{A2}) = 1$, then $p^2 q \mid (V_1 + V_2)(V_1 - V_2)$ and the prime numbers p and q satisfy one of the conditions
$$p^2 \mid (V_1 \pm V_2), \qquad pq \mid (V_1 \pm V_2).$$
Observe that $p^2 > 2^{2n}$ and $pq > 2^{2n}$ while $|V_1 \pm V_2| < 2 \cdot 2^{2n-1} = 2^{2n}$. This implies that none of these conditions is possible. Hence the equation $C = U e_{A1} + V^2 e_{A2}$ has only one solution with the parameters of the scheme. □

4.1. Example. Let n = 16. Along will choose the primes p = 62683 and q = 62483. The public keys will be

(1) $e_{A1}$ = 245505609868187

(2) $e_{A2}$ = 4106878163802480

The private keys will be

(1) pq = 3916621889

(2) d = 2486483

Busu's message will contain the following parameters

(1) $m_1$ = 544644664056570

(2) $m_2$ = 21777

Busu will also generate the following ephemeral random session keys

(1) $k_1$ = 54433

(2) $k_2$ = 33079

Busu will then generate

(1) U = 35693832703611425953

(2) V = 1427210551 and consequently $V^2$ = 2036929956885723601

The ciphertext will be C = 17128459327562266456602243879187691.

To decrypt, Along will first compute W = 3215349249. Along will then obtain the following root values

$V_1$ = 318887097,
$V_2$ = 2489411338,
$V_3$ = 1427210551,

and

$V_4$ = 3597734792.

Only $U_3 = \dfrac{C - V_3^2 e_{A2}}{e_{A1}}$ will produce an integer value. That is, $U_3$ = 35693832703611425953. Finally, $m_1$ and $m_2$ can be obtained. □
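
The key generation, encryption and decryption steps of Sections 3 and 4, run on the parameters of this example, as an added illustration (this is not the paper's own code). It assumes Python 3.8+ for pow(x, -1, m); the private tuple also carries p and q individually because the CRT step of decryption needs them, not only pq, and keygen takes the step-1 primes as input rather than generating strong primes itself.

```python
import math
import random

# Added example, not the paper's code: the AAbeta operations of Sections 3 and 4.
# p and q are kept in the private key because the CRT step of decryption needs
# them individually, not only their product pq.  Requires Python 3.8+ (pow(x, -1, m)).

def keygen(p, q, n, rng=random.SystemRandom()):
    """Key generation steps 2-6, given the primes p, q = 3 (mod 4) from step 1."""
    assert p != q and p % 4 == 3 and q % 4 == 3
    pq, eA1 = p * q, p * p * q
    d_min = 1 << ((eA1.bit_length() * 4 + 8) // 9)   # power of two >= (p^2 q)^(4/9)
    while True:
        d = rng.randrange(d_min, pq)
        if math.gcd(d, pq) == 1:
            break
    e = pow(d, -1, pq)                               # e*d = 1 (mod pq)
    e += ((1 << (3 * n + 4)) // pq + 1) * pq         # lift e into (2^(3n+4), 2^(3n+6))
    return (n, eA1, e), (pq, d, p, q)

def encrypt(pub, m1, m2, k1, k2):
    """C = U*eA1 + V^2*eA2 with U = m1*2^n + k1 and V = m2*2^n + k2; k1, k2 fresh n-bit."""
    n, eA1, eA2 = pub
    U, V = (m1 << n) + k1, (m2 << n) + k2
    return U * eA1 + V * V * eA2

def sqrt_roots_mod_pq(W, p, q):
    """The four roots of x^2 = W (mod pq) for p, q = 3 (mod 4), by CRT (Lemma 4.3)."""
    xp, xq = pow(W, (p + 1) // 4, p), pow(W, (q + 1) // 4, q)
    M1, M2 = pow(q, -1, p), pow(p, -1, q)            # q^-1 mod p, p^-1 mod q
    return sorted({(sp * xp * M1 * q + sq * xq * M2 * p) % (p * q)
                   for sp in (1, -1) for sq in (1, -1)})

def decrypt(pub, priv, C):
    """Returns (m1, m2).  Exactly one root gives an integer U (Lemma 4.4)."""
    n, eA1, eA2 = pub
    pq, d, p, q = priv
    W = (C * d) % pq             # W = V^2 (mod pq) because eA1 = p^2 q vanishes mod pq
    hits = []
    for V in sqrt_roots_mod_pq(W, p, q):
        rem = C - V * V * eA2    # equals U*eA1 only for the right root
        if rem > 0 and rem % eA1 == 0:
            hits.append((rem // eA1, V))
    if len(hits) != 1:
        raise ValueError("decryption failure: %d candidate roots" % len(hits))
    U, V = hits[0]
    return U >> n, V >> n        # strip the n-bit session values k1, k2

if __name__ == "__main__":
    # Fixed values of Example 4.1: n = 16, p = 62683, q = 62483, d = 2486483.
    pub = (16, 245505609868187, 4106878163802480)
    priv = (3916621889, 2486483, 62683, 62483)
    C = encrypt(pub, 544644664056570, 21777, 54433, 33079)
    print(C)                     # 17128459327562266456602243879187691
    print(decrypt(pub, priv, C)) # (544644664056570, 21777)
    # Fresh keys for the same primes: different d, e; decryption still succeeds.
    pub2, priv2 = keygen(62683, 62483, 16)
    print(decrypt(pub2, priv2, encrypt(pub2, 544644664056570, 21777, 54433, 33079)))
```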

5. Basic Attacks 

5.1. Congruence attack. In this subsection we will observe the security of the ciphertext equation $C = U e_{A1} + V^2 e_{A2}$ when it is treated as a Diophantine equation. We will observe that solving the corresponding Diophantine equation's parametric solution set for the unknown parameters U and $V^2$ results in exponentially many candidates to choose from.

From $C = U e_{A1} + V^2 e_{A2}$ and since $\gcd(e_{A1}, e_{A2}) = 1$ we have
$$U \equiv C e_{A1}^{-1} \equiv a \pmod{e_{A2}}.$$
Hence $U = a + e_{A2} j$ for some $j \in \mathbb{Z}$. Replacing into C we have
$$C = U e_{A1} + V^2 e_{A2} = (a + e_{A2} j) e_{A1} + V^2 e_{A2}.$$
Then,
$$V^2 = \frac{C - (a + e_{A2} j) e_{A1}}{e_{A2}} = \frac{C - e_{A1} a}{e_{A2}} - e_{A1} j,$$
where $\frac{C - e_{A1} a}{e_{A2}} = b \in \mathbb{Z}$. It follows that the equation $C = U e_{A1} + V^2 e_{A2}$ has the parametric solutions
$$U = a + e_{A2} j \quad \text{and} \quad V^2 = b - e_{A1} j.$$



• Computing with U

To find $U = a + e_{A2} j$, we should find an integer j such that $2^{4n} < U < 2^{4n+1}$. This gives
$$\frac{2^{4n} - a}{e_{A2}} < j < \frac{2^{4n+1} - a}{e_{A2}}.$$
We know that $2^{3n+4} < e_{A2} < 2^{3n+6}$. Then the difference between the upper and the lower bound is
$$\frac{2^{4n+1} - a}{e_{A2}} - \frac{2^{4n} - a}{e_{A2}} = \frac{2^{4n}}{e_{A2}} > \frac{2^{4n}}{2^{3n+6}} = 2^{n-6}.$$
Hence the difference is very large and finding the correct j is infeasible.

• Computing with $V^2$

To find $V^2 = b - e_{A1} j$, we should find an integer j such that $2^{4n-4} < V^2 < 2^{4n-2}$. This gives
$$\frac{2^{4n-4} - b}{-e_{A1}} > j > \frac{2^{4n-2} - b}{-e_{A1}}.$$
We know that $2^{3n} < e_{A1} < 2^{3n+3}$. Then the difference between the upper and the lower bound is
$$\frac{2^{4n-4} - b}{-e_{A1}} - \frac{2^{4n-2} - b}{-e_{A1}} = \frac{3 \cdot 2^{4n-4}}{e_{A1}} > 3 \cdot 2^{n-7}.$$
Hence the difference is very large and finding the correct j is infeasible.



5.2. Coppersmith type attack.

Theorem 5.1. Let N be an integer of unknown factorization. Furthermore, let $f_N(x)$ be a univariate, monic polynomial of degree δ. Then we can find all solutions x of the equation $f_N(x) \equiv 0 \pmod N$ with
$$|x| < N^{1/\delta}$$
in time polynomial in $(\log N, \delta)$.

Theorem 5.2. Let N be an integer of unknown factorization, which has a divisor $b \ge N^{\beta}$. Furthermore, let $f_b(x)$ be a univariate, monic polynomial of degree δ. Then we can find all solutions $x_0$ of the equation $f_b(x) \equiv 0 \pmod b$ with
$$|x_0| \le \frac{1}{2} N^{\beta^2/\delta - \epsilon}$$
in time polynomial in $(\log N, \delta, 1/\epsilon)$.
• Attacking V

With reference to Theorem 5.1. Let $N = e_{A1} = p^2 q$ and $d' = e^{-1} \pmod N$. Compute $W = Cd' \equiv V^2 \pmod N$. Let $f_N(x) = x^2 - W \equiv 0 \pmod N$. Hence, δ = 2. Thus the root x = V can be recovered if $V < N^{1/2} \approx 2^{1.5n}$. But since $V \approx 2^{2n}$, this attack is infeasible.

• Attacking d

With reference to Theorem 5.2. We begin by observing $f_b(x) = ex - 1 \equiv 0 \pmod{pq}$, where pq is an unknown factor of $N = e_{A1} = p^2 q$. Since $pq > N^{2/3}$ we have β = 2/3. From $f_b(x)$ we also have δ = 1. By the Coppersmith theorem, the root $x_0 = d$ can be found if $|x_0| < N^{4/9}$. But since $d > N^{4/9}$, this attack is infeasible.

5.3. Euclidean division attack. From $C = U e_{A1} + V^2 e_{A2}$, the size of each public parameter within C ensures that Euclidean division attacks do not succeed. This can be easily deduced as follows:

(1) $\lfloor C / e_{A1} \rfloor \neq U$

(2) $\lfloor C / e_{A2} \rfloor \neq V^2$

6. Analysis on lattice based attack

The square lattice attack has been an efficient and effective means of attack upon schemes that are designed based on Diophantine equations. The AAβ scheme went through analysis regarding lattice attacks during the design process. Let $C = U e_{A1} + V^2 e_{A2}$ be an AAβ ciphertext. Consider the Diophantine equation $e_{A1} x_1 + e_{A2} x_2 = C$. Introduce the unknown $x_3$ and consider the Diophantine equation
$$e_{A1} x_1 + e_{A2} x_2 - C x_3 = 0.$$
Then $(U, V^2, 1)$ is a solution of the equation. Next let T be a number to be fixed later. Consider the lattice $\mathcal{L}$ spanned by the rows of the matrix
$$M = \begin{pmatrix} 1 & 0 & e_{A1} T \\ 0 & 1 & e_{A2} T \\ 0 & 0 & -CT \end{pmatrix}.$$
Observe that
$$(x_1, x_2, x_3) M = (x_1, x_2, T(e_{A1} x_1 + e_{A2} x_2 - C x_3)).$$
This shows that the lattice $\mathcal{L}$ contains the vectors $(x_1, x_2, T(e_{A1} x_1 + e_{A2} x_2 - C x_3))$ and more precisely the vector-solution $V_0 = (U, V^2, 0)$. Observe that the length of $V_0$ satisfies
$$\|V_0\| = \sqrt{U^2 + V^4} \approx 2^{4n}.$$
On the other hand, the determinant of the lattice is $\det(\mathcal{L}) = CT$ and the Gaussian heuristic for the lattice $\mathcal{L}$ asserts that the length of its shortest non-zero vector is usually approximately $\sigma(\mathcal{L})$, where
$$\sigma(\mathcal{L}) = \sqrt{\frac{3}{2\pi e}} \det(\mathcal{L})^{1/3} = \sqrt{\frac{3}{2\pi e}} (CT)^{1/3}.$$
If we choose T such that $\sigma(\mathcal{L}) > \|V_0\|$, then $V_0$ can be among the short non-zero vectors of the lattice $\mathcal{L}$. To this end, T should satisfy
$$T > \left(\frac{2\pi e}{3}\right)^{3/2} \frac{2^{12n}}{C}. \qquad (6.1)$$

Next, if we apply the LLL algorithm to the lattice $\mathcal{L}$, we will find a basis $(b_1, b_2, b_3)$ such that $\|b_1\| \le \|b_2\| \le \|b_3\|$ and
$$\|b_i\| \le 2^{\frac{n(n-1)}{4(n+1-i)}} \det(\mathcal{L})^{\frac{1}{n+1-i}}, \quad \text{for } i = 1, 2, 3 \text{ and } n = 3.$$
For i = 1, we choose T such that $\|V_0\| \le \|b_1\| \le 2^{\frac{1}{2}} (CT)^{\frac{1}{3}}$. Using the approximation $\|V_0\| \approx 2^{4n}$, this is satisfied if
$$T > 2^{-\frac{3}{2}} \cdot \frac{2^{12n}}{C},$$
which follows from the lower bound of equation (6.1). We experimented with this result to try to find $(U, V^2, 0)$. The LLL algorithm outputs a basis with a matrix of the form
$$M_1 = \begin{pmatrix} a_{11} & a_{12} & 0 \\ a_{21} & a_{22} & 0 \\ a_{31} & a_{32} & T \end{pmatrix}.$$
If $(U, V^2, 0)$ is a short vector, then $(U, V^2, 0) = (x_1, x_2, x_3) M_1$ for some short vector $(x_1, x_2, x_3)$. We then deduce the system
$$a_{11} x_1 + a_{21} x_2 = U,$$
$$a_{12} x_1 + a_{22} x_2 = V^2,$$
from which we can deduce that $x_3 = 0$. If we compute $(U e_{A1} - V^2 e_{A2})/C$, we get $x_2 = 1$ for some $x_1$. It follows that
$$a_{11} x_1 + a_{21} = U,$$
$$a_{12} x_1 + a_{22} = V^2.$$
This situation is similar to the congruence attack. We can also observe that this is a system of two equations with three unknowns (i.e. $x_1$, U, V).



6.1. Example with lattice based attack. We will use the parameters in the earlier example. Observe the lattice $\mathcal{L}$ spanned by the rows of the matrix
$$M = \begin{pmatrix} 1 & 0 & e_{A1} T \\ 0 & 1 & e_{A2} T \\ 0 & 0 & -CT \end{pmatrix};$$
the length of the vector $V_0 = (U, V^2, 0)$ is approximately $\|V_0\| \approx 35751905917344588937$. We will use $T = 2^{20n}$, which makes the length of the vector $V_0$ shorter than the Gaussian heuristic of the lattice $\mathcal{L}$.

The LLL algorithm outputs the matrix $M_1$ given by
$$M_1 = \begin{pmatrix} -4106878163802480 & 245505609868187 & 0 \\ 247367271832221073 & 4155888875658045598 & 0 \\ -1118395942494397 & 66856738131713 & T \end{pmatrix}.$$
7. Underlying security principles

7.1. The integer factorization problem. To find the unknown factors p and q such that $e_{A1} = p^2 q$.

7.2. The square root modulo problem. Since $\gcd(e_{A1}, e_{A2}) = 1$, one can obtain the relation $V^2 \equiv \alpha \pmod{e_{A1}}$. Since $e_{A1} = p^2 q$, this is equivalent to calculating square roots modulo composite integers with unknown factorization, which is infeasible.

7.3. The modular reduction problem. Since $\gcd(e_{A1}, e_{A2}) = 1$, one can obtain $U \equiv \beta \pmod{e_{A2}}$. Since $U \gg e_{A2}$, computing U prior to modular reduction by $e_{A2}$ is infeasible.

7.4. Equivalence with integer factorization. From $C = U e_{A1} + V^2 e_{A2}$ we have
$$C \equiv V^2 \pmod{e_{A1}},$$
where $e_{A1} = p^2 q$ is of unknown factorization. We show here that solving this congruence relation is equivalent to factoring $e_{A1}$. If we know the factorization of $e_{A1}$, then it is easy to solve the congruence relation. Conversely, suppose that we know all the solutions. By Lemma 4.3, the four solutions are
$$V_1 = x_p M_1 q + x_q M_2 p \pmod{pq},$$
$$V_2 = x_p M_1 q - x_q M_2 p \pmod{pq},$$
$$V_3 = -x_p M_1 q + x_q M_2 p \pmod{pq},$$
$$V_4 = -x_p M_1 q - x_q M_2 p \pmod{pq},$$
and they are such that $V_i < pq$ for i = 1, 2, 3, 4. We now have $V_1 + V_3 = 2 x_q M_2 p + a \, pq$ for some integer a. Then $V_1 + V_3 \equiv 0 \pmod p$. On the other hand, $V_1 + V_3 < 2pq < p^2 q$. Hence $V_1 + V_3 \not\equiv 0 \pmod{p^2 q}$. Therefore
$$p = \gcd(e_{A1}, V_1 + V_3) = \gcd(p^2 q, V_1 + V_3).$$
Hence $q = \dfrac{e_{A1}}{p^2}$.

8. Table of Comparison

The following is a table of comparison between RSA, ECC, NTRU and AAβ. Let |E| denote the public key size. The AAβ cryptosystem has the ability to encrypt large data sets (i.e. 4n bits of data per transmission). The ratio M : |E| suggests better economic value per public key bit being used.

Algorithm | Encryption speed | Decryption speed | Ratio M : C | Ratio M : |E|
RSA       | O(n^4)           | O(n^3)           | 1 : 1       | 1 : 2
ECC       | O(n^6)           | O(n^3)           | 1 : 2       | 1 : 2
NTRU      | O(n^2)           | O(n^2)           | Varies [4]  | N/A
AAβ       | O(n^2)           | O(n^6)           | 1 : 1.75    | 1 : 1.5

Table 1. Comparison table for input block of length n
9. Conclusion

The asymmetric scheme presented in this paper provides a secure avenue for implementors who need to transmit up to 4n bits of data per transmission. With an expansion rate of 1 : 1.75, the ciphertext to be transmitted is not much larger than the ratio of ECC. Even though its expansion rate is larger than that of RSA, this is only natural since it is transmitting a larger data set. This will give a significant contribution in a niche area for the implementation of asymmetric type security in transmitting large data sets.

The scheme is also comparable to the Rabin cryptosystem, with the advantage of having a unique decryption result. It has achieved an encryption speed with complexity order $O(n^2)$ and it also has a simple mathematical structure for easy implementation.